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CLAIMS 



1. A system with a local application entity and communications means by which the local 
application entity can communicate with peer remote application entities on other 

5 systems, the communication means including a transport entity for providing transport 
services, and a transport-independent, session-level security entity logically positioned 
above the transport entity and visible to the local application entity, the security entity 
being operative to set up secure communication sessions with peer security entities in 
other systems and comprising: 
10 - key-exchange handshake means for conducting a handshake with a said peer 

security entity associated with a particular remote application entity with which said 
local application entity wishes to communicate, this handshake involving the 
exchange of key-related data for use in generating session keys; and 
secure channel means for enabling messages to be passed between the local 
15 application entity and said particular remote application entity with authentication 

and/or encryption of these messages being effected using the session keys generated 
from said key-related data whereby to secure these messages in passage between the 
cooperating security entities; 
the handshake means being operative when conducting said handshake to exchange 
20 attribute justifications, in the form of one or more certificates, with said peer security 
entity to enable verification by each system that the application entity being contacted 
has the particular attributes, if any, required by its own application entity. 

2. A system according to claim 1, wherein the security entity is capable of establishing 
25 multiple concurrent security sessions with another system over a common transport 

connection set up by the transport entity. 

^^3r-A^ystem according to claim 1, whepeinthe handshake means is operative to indicate 
to said remoteappUcgtion during the rour&e of handshake services and attributes required 
30 of said remote application byTftie45caK^^li<^ion entity, the handshake means being 
further operative to receive back an indioltioq^of attributes that the remote application 
requires of the local application. 
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4. A system according to claim 1, further comprising attribute justification means for 
proving from certificates received form the remote system during said handshake that the 
remote application has the required attributes. 

5. A system according to claim 1, wherein said local application entity is a mediation 
entity acting on behalf of one or more other application entities. 
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^A system according to claim 1, wherein said handshake is a three message handshake 
in the cottreg of which: 

lan key exchange is effected 
; the authentication and/or encryption 
ltly used by the secure channel means for the 



an authenticated ephemeral Di 
a cipher suite is negbti^ted del 
algorithms that will be subs 





security session concerned; 
advisories regarding the attributes required byth^local and remote applications of 
each other are exchanged; and 

justifications for the required attributes are exchanged. 

7. A system according to claim 1, wherein the security entity formats its communications 
intended for the remote peer security entity in protocol data units (PDUs) that each 
include: 

a session indicator enabling the peer security entity to determine to which security 
session the PDU relates; and 

a message-type field by which the peer security entity can determine whether the 
PDU carries handshake-related data or a message being passed over the secure 
channel of the security session indicated by said session indicator. 



